An SQL injection is one form of attack on Web servers. It is performed by using SQL, the language for manipulating a database, to illegally manipulate the database behind a Web server.
As one example, a system shown in FIG. 1 will be described. Assume that a Web server 4 is provided with a login screen as shown in FIG. 2. On a terminal PC 2, a user inputs his or her own user ID and password and submits them to the Web server 4 (see numeral (1) of FIG. 1). The Web server 4 stores in advance, on a database 6, a record of the combination of the user ID and the password. If the combination of the user ID and the password transmitted from the terminal PC 2 matches the record, the Web server 4 permits the user to access and transmits the next screen (see (3) to (6) of FIG. 1).
If there is no record matching the combination of the user ID and the password transmitted from the terminal PC 2, the Web server 4 transmits a screen indicating that access is denied (see (3) to (6)).
As described above, unless the user correctly inputs the user ID and the password, the Web server 4 does not give the user permission to access. Accordingly, authorization of access to the Web server 4 is controlled.
In the processing described above, the Web server 4 generates an SQL statement for searching the database based on the user ID and the password received from the terminal PC 2 (see (2)). Assume that the user enters input according to the screen shown in FIG. 2, and that a user ID (uid) “furutani” and a password (pwd) “1cd45” are transmitted from the terminal PC 2. The Web server 4 receives the user ID and the password, adds character strings in accordance with the following rule, and generates the SQL statement.
SELECT * FROM user WHERE uid='user ID' AND pwd='password'
According to the above rule, the following SQL statement is generated when the user ID (uid) is “furutani” and the password (pwd) is “1cd45”.
SELECT * FROM user WHERE uid='furutani' AND pwd='1cd45'
The Web server 4 provides the SQL statement to the database 6 (see (3)) and retrieves from the database 6 a determination result indicating whether the user whose user ID (uid) is “furutani” and whose password (pwd) is “1cd45” is registered in the record (see (4)). In other words, when such a user is registered in the record, the logical value of “uid='furutani' AND pwd='1cd45'” becomes “1”, and when the user is not registered, the logical value becomes “0”.
The Web server 4 accepts the user's privileges and permits access when the logical value “1” is returned, and determines that the user is unauthorized and denies access when the logical value “0” is returned (see (5), (6)).
However, if the algorithm for generating the SQL statement as described above can be guessed, there is a possibility that an attack (SQL injection) as follows is performed.
An attacker enters an arbitrary name as the user ID (uid) from the terminal PC 2. For example, the attacker inputs “ueno”. The following input is entered as the password (pwd).
'OR 'A'='A
According to the algorithm described above, the following SQL statement is generated for such input.
SELECT * FROM user WHERE uid='ueno' AND pwd=''OR 'A'='A'
In this SQL statement, the logical value of the part “uid='ueno' AND pwd=''” is normally zero (the expression “pwd=''” means that the password is a null string). However, because the expression “OR 'A'='A'” is present, the logical value of the expression “'A'='A'” is always “1”, and the two expressions are combined by the “OR” operator; therefore, the logical value of the statement as a whole always becomes “1”.
Accordingly, when the input described above is entered, the logical value always becomes “1”, and even a user who does not have the password can illegally gain access.
Thus, measures against such SQL injection are taken on the Web server 4 to reject SQL injection and prevent unauthorized access. There are several types of SQL injection, and the Web server is not completely secured unless measures against all types of SQL injection are taken.
Therefore, a diagnosis of the Web server 4 is performed to determine whether the server has a vulnerability to such SQL injection (see Non-Patent Document 1). The diagnosis is achieved by the following method.
First, access to the Web server to be diagnosed is made with a correct user ID and password. The response from the Web server to this normal access is recorded as a normal response. In this case, the normal response includes the contents shown as a result of access being permitted.
Next, access by SQL injection (referred to as abnormal access) is made. The response from the Web server to the abnormal access is recorded as an abnormal response. When the Web server does not permit access in response to an SQL injection attack, the abnormal response includes the contents shown as a result of access not being permitted (for example, an error screen). In other words, when there is no vulnerability to SQL injection, the contents of the normal response differ from those of the abnormal response.
On the other hand, if the Web server has a vulnerability to SQL injection attacks such that the server permits access, the abnormal response is the same as the normal response.
As described above, vulnerability to SQL injection can be determined by comparing whether the response to the normal access is the same as or differs from the response to the abnormal access. According to the aforementioned method, the diagnosis can be performed by determining whether the normal response is the same as the abnormal response, without a human having to judge the contents of the response; therefore, the diagnosis can be automated.
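The following is an added example, not code from the patent or from any product it describes. It models the login processing of FIG. 1 with a constructed in-memory SQLite table standing in for database 6 (holding only the "furutani"/"1cd45" record from the text), builds the SQL statement by the concatenation rule given above, and then applies the comparison-based diagnosis: the response to a normal access with correct credentials is recorded, the response to the abnormal access with user ID "ueno" and password 'OR 'A'='A is recorded, and the server is reported vulnerable when the two are the same. Beyond the text, it also runs the same diagnosis against a handler that binds the input as parameters rather than concatenating it, to show the diagnosis reporting no vulnerability, and it records a response to a plainly wrong password so that a server whose success and failure screens are identical is reported as inconclusive rather than as secure. The screen strings and function names are assumptions of this example.

```python
import sqlite3
from typing import Callable, Dict

# Constructed in-memory stand-in for database 6 of FIG. 1, holding the one
# record used in the text: user ID "furutani" with password "1cd45".
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (uid TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO user VALUES ('furutani', '1cd45')")
    conn.commit()
    return conn

# Screens returned by the Web server (constructed stand-ins for (6) of FIG. 1).
WELCOME_SCREEN = "welcome: access permitted"
DENIED_SCREEN = "error: access denied"

def build_statement(uid: str, pwd: str) -> str:
    """The generation rule from the text, applied by string concatenation:
    SELECT * FROM user WHERE uid='user ID' AND pwd='password'."""
    return "SELECT * FROM user WHERE uid='" + uid + "' AND pwd='" + pwd + "'"

def login_concatenated(conn: sqlite3.Connection, uid: str, pwd: str) -> str:
    """Vulnerable handler: the input becomes part of the SQL text, so a
    password such as 'OR 'A'='A turns the WHERE clause into one that is
    always true."""
    row = conn.execute(build_statement(uid, pwd)).fetchone()
    return WELCOME_SCREEN if row is not None else DENIED_SCREEN

def login_parameterized(conn: sqlite3.Connection, uid: str, pwd: str) -> str:
    """Hardened handler: the statement text is fixed and the input is bound
    as data, so quote characters in the input cannot change the logic."""
    row = conn.execute(
        "SELECT * FROM user WHERE uid=? AND pwd=?", (uid, pwd)
    ).fetchone()
    return WELCOME_SCREEN if row is not None else DENIED_SCREEN

LoginHandler = Callable[[sqlite3.Connection, str, str], str]

# The abnormal-access input from the text: an arbitrary user ID and the
# injected password.
INJECTED_UID = "ueno"
INJECTED_PWD = "'OR 'A'='A"

def diagnose(login: LoginHandler, conn: sqlite3.Connection) -> Dict[str, object]:
    """The comparison method described in the text: record the response to a
    normal access with correct credentials, record the response to the
    abnormal access, and report the server as vulnerable when the two are the
    same. As an addition to the text, a response to a plainly wrong password
    is also recorded; if it equals the normal response, the server does not
    distinguish success from failure at all and the comparison says nothing,
    so the result is marked inconclusive instead of secure."""
    normal = login(conn, "furutani", "1cd45")
    denied = login(conn, "furutani", "wrong-password")
    abnormal = login(conn, INJECTED_UID, INJECTED_PWD)
    conclusive = normal != denied
    return {
        "normal": normal,
        "abnormal": abnormal,
        "conclusive": conclusive,
        "vulnerable": conclusive and normal == abnormal,
    }

if __name__ == "__main__":
    print(build_statement(INJECTED_UID, INJECTED_PWD))
    for name, handler in (("concatenated", login_concatenated),
                          ("parameterized", login_parameterized)):
        print(name, diagnose(handler, make_db()))
```

Run as a script, the first line printed is exactly the injected statement shown in the text; the concatenated handler is then reported vulnerable because its normal and abnormal responses coincide, while the parameterized handler returns the denial screen for the abnormal access and is reported not vulnerable. The "conclusive" flag is the practical check a diagnosis tool needs before trusting a "not vulnerable" verdict: the method only works when the server's permitted and denied responses actually differ.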